Edit tour

Windows Analysis Report
mzQcZawXvh.exe

Overview

General Information

Sample Name:	mzQcZawXvh.exe
Analysis ID:	589699
MD5:	514837c22746ae83fad96926ad2ddf83
SHA1:	e23e87f578c20f743ca1460d5e744c10b629cc16
SHA256:	beced991de014438e5a42627fd44721a06fd4fa67b8a58319fc00eb6316169a1
Tags:	BitRATexeRAT
Infos:

Detection

BitRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected BitRAT

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Hides threads from debuggers

Machine Learning detection for sample

Injects a PE file into a foreign processes

Contains functionality to hide a thread from the debugger

C2 URLs / IPs found in malware configuration

Possible FUD Crypter (malicious underground PE packer) detected

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains strange resources

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Installs a global mouse hook

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

mzQcZawXvh.exe (PID: 5872 cmdline: "C:\Users\user\Desktop\mzQcZawXvh.exe" MD5: 514837C22746AE83FAD96926AD2DDF83)

mzQcZawXvh.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\mzQcZawXvh.exe" MD5: 514837C22746AE83FAD96926AD2DDF83)

cleanup

Malware Configuration

Threatname: BitRat

{"Host": "toopdyno2.duckdns.org", "Port": "55140", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "3cd2623273605167e72c665ad9347c60", "Tor Process Name": "tor"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.252764032.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.252764032.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
00000001.00000000.251383367.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.251383367.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
00000001.00000000.246514986.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.246514986.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
00000001.00000000.247549851.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.247549851.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
00000001.00000000.245538304.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.249134372.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.249134372.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
00000001.00000000.253448623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.253448623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
00000001.00000002.555783700.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000002.555783700.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
00000000.00000002.257225352.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
Process Memory Space: mzQcZawXvh.exe PID: 5872	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
Process Memory Space: mzQcZawXvh.exe PID: 5012	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.mzQcZawXvh.exe.400000.5.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.3.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.0.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.1.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.2.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.10.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.10.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.11.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.11.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.9.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.9.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.4.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.4.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.7.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.7.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.5.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.5.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.2.mzQcZawXvh.exe.400000.0.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.2.mzQcZawXvh.exe.400000.0.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.8.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.8.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
1.2.mzQcZawXvh.exe.400000.0.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.2.mzQcZawXvh.exe.400000.0.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.6.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.6.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.10.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.10.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.6.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.6.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
0.2.mzQcZawXvh.exe.24e15a0.1.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
0.2.mzQcZawXvh.exe.24e15a0.1.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x339bf0:$s1: \plg\ 0x339d70:$s3: files_delete 0x3389bc:$s9: ddos_stop 0x339bd0:$s10: socks5_srv_start 0x339db8:$s16: klg\| 0x3389ec:$s17: Slowloris 0x339c60:$s18: Bot ID: 0x33a198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.8.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.8.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
0.2.mzQcZawXvh.exe.24e15a0.1.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
0.2.mzQcZawXvh.exe.24e15a0.1.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.11.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.11.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.7.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.7.raw.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33bbf0:$s1: \plg\ 0x33bd70:$s3: files_delete 0x33a9bc:$s9: ddos_stop 0x33bbd0:$s10: socks5_srv_start 0x33bdb8:$s16: klg\| 0x33a9ec:$s17: Slowloris 0x33bc60:$s18: Bot ID: 0x33c198:$t1: <sz>N/A</sz>
1.0.mzQcZawXvh.exe.400000.9.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.mzQcZawXvh.exe.400000.9.unpack	MALWARE_Win_BitRAT	Detects BitRAT RAT	ditekSHen	0x33abf0:$s1: \plg\ 0x33ad70:$s3: files_delete 0x3399bc:$s9: ddos_stop 0x33abd0:$s10: socks5_srv_start 0x33adb8:$s16: klg\| 0x3399ec:$s17: Slowloris 0x33ac60:$s18: Bot ID: 0x33b198:$t1: <sz>N/A</sz>
Click to see the 36 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: "C:\Users\user\Desktop\mzQcZawXvh.exe" , CommandLine: "C:\Users\user\Desktop\mzQcZawXvh.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\mzQcZawXvh.exe, NewProcessName: C:\Users\user\Desktop\mzQcZawXvh.exe, OriginalFileName: C:\Users\user\Desktop\mzQcZawXvh.exe, ParentCommandLine: "C:\Users\user\Desktop\mzQcZawXvh.exe" , ParentImage: C:\Users\user\Desktop\mzQcZawXvh.exe, ParentProcessId: 5872, ProcessCommandLine: "C:\Users\user\Desktop\mzQcZawXvh.exe" , ProcessId: 5012

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
mzQcZawXvh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: BitRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mzQcZawXvh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: BitRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Windows Analysis Report
mzQcZawXvh.exe